<div class="tile article" data-collapsable="" id="signatures">
 <h2 data-collapser-click="">
  <div class="ma-icon large">
   <svg height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
    <path d="M19 5v14H5V5h14m1.1-2H3.9c-.5 0-.9.4-.9.9v16.2c0 .4.4.9.9.9h16.2c.4 0 .9-.5.9-.9V3.9c0-.5-.5-.9-.9-.9zM11 7h6v2h-6V7zm0 4h6v2h-6v-2zm0 4h6v2h-6zM7 7h2v2H7zm0 4h2v2H7zm0 4h2v2H7z">
    </path>
   </svg>
  </div>
  Signatures
 </h2>
 <div data-collapser-window="">
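  <!-- Tactic filter for the signature list. Each data-tactic-ttp value is a tactic
       name of the kind listed in the data-technique-ttp attribute on signature
       entries; the script that matches them is not part of this fragment.
       type="button" keeps these controls from acting as submit buttons if the
       tile is ever placed inside a form. -->
  <div class="button-bar" id="ttp">
   <button class="button primary small" type="button" data-tactic-ttp="Defense Evasion">
    Defense Evasion
   </button>
   <button class="button primary small" type="button" data-tactic-ttp="Discovery">
    Discovery
   </button>
   <button class="button primary small" type="button" data-tactic-ttp="Persistence">
    Persistence
   </button>
   <button class="button primary small" type="button" data-tactic-ttp="Privilege Escalation">
    Privilege Escalation
   </button>
  </div>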
  <div>
   <ul class="risk-rules">
    <li class="alert" data-technique-ttp="Persistence,Privilege Escalation,Defense Evasion,">
     <div class="title click">
      <b>
       Adds autorun key to be loaded by Explorer.exe on startup
       <span>
        2 TTPs  64 IoCs
       </span>
      </b>
      <div class="tags small">
       <a class="" href="/s?q=tags:persistence">
        persistence
       </a>
      </div>
     </div>
     <div class="fold hidden scroll-x">
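      <!-- MITRE ATT&CK techniques the sandbox mapped to this signature. T1547.001 is
           filed under Persistence and Privilege Escalation and T1112 under Defense
           Evasion, which matches the tactic list on the enclosing list item.
           Both links leave the report for attack.mitre.org in a new tab;
           rel="noopener noreferrer" keeps the opened page from reaching
           window.opener and withholds the report URL from the Referer header. -->
      <div class="flex-wrap mitre">
       <div class="row">
        <a class="alert" data-modal-ttp="T1547.001" href="https://attack.mitre.org/techniques/T1547/001" target="_blank" rel="noopener noreferrer" title="Registry Run Keys / Startup Folder">
         <div class="hbox">
          <p>
           Registry Run Keys / Startup Folder
          </p>
          <div class="flex">
          </div>
         </div>
         <span>
          T1547.001
         </span>
        </a>
       </div>
       <div class="row">
        <a class="alert" data-modal-ttp="T1112" href="https://attack.mitre.org/techniques/T1112" target="_blank" rel="noopener noreferrer" title="Modify Registry">
         <div class="hbox">
          <p>
           Modify Registry
          </p>
          <div class="flex">
          </div>
         </div>
         <span>
          T1112
         </span>
        </a>
       </div>
      </div>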
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Npojdpef.exe
        </span>
        <span class="badge">
         Kicmdo32.exe
        </span>
        <span class="badge">
         Mencccop.exe
        </span>
        <span class="badge">
         Niikceid.exe
        </span>
        <span class="badge">
         Iapebchh.exe
        </span>
        <span class="badge">
         Kklpekno.exe
        </span>
        <span class="badge">
         Mbkmlh32.exe
        </span>
        <span class="badge">
         Mlfojn32.exe
        </span>
        <span class="badge">
         Mofglh32.exe
        </span>
        <span class="badge">
         Ngdifkpi.exe
        </span>
        <span class="badge">
         Ngfflj32.exe
        </span>
        <span class="badge">
         Nplmop32.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Jqilooij.exe
        </span>
        <span class="badge">
         Kmgbdo32.exe
        </span>
        <span class="badge">
         Kfbcbd32.exe
        </span>
        <span class="badge">
         Kpjhkjde.exe
        </span>
        <span class="badge">
         Mmldme32.exe
        </span>
        <span class="badge">
         Nodgel32.exe
        </span>
        <span class="badge">
         Keednado.exe
        </span>
        <span class="badge">
         Lfpclh32.exe
        </span>
        <span class="badge">
         Mlcbenjb.exe
        </span>
        <span class="badge">
         Mholen32.exe
        </span>
        <span class="badge">
         Kjifhc32.exe
        </span>
        <span class="badge">
         Jmplcp32.exe
        </span>
        <span class="badge">
         Nlekia32.exe
        </span>
        <span class="badge">
         Iipgcaob.exe
        </span>
        <span class="badge">
         Lapnnafn.exe
        </span>
        <span class="badge">
         Lcfqkl32.exe
        </span>
        <span class="badge">
         Melfncqb.exe
        </span>
        <span class="badge">
         Kjfjbdle.exe
        </span>
        <span class="badge">
         Knmhgf32.exe
        </span>
        <span class="badge">
         Kgemplap.exe
        </span>
        <span class="badge">
         Leimip32.exe
        </span>
        <span class="badge">
         Niebhf32.exe
        </span>
        <span class="badge">
         Ncmfqkdj.exe
        </span>
        <span class="badge">
         Lphhenhc.exe
        </span>
        <span class="badge">
         Mpjqiq32.exe
        </span>
        <span class="badge">
         Meppiblm.exe
        </span>
        <span class="badge">
         Jhljdm32.exe
        </span>
        <span class="badge">
         Nibebfpl.exe
        </span>
        <span class="badge">
         Nenobfak.exe
        </span>
        <span class="badge">
         65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
        </span>
        <span class="badge">
         Ileiplhn.exe
        </span>
        <span class="badge">
         Kincipnk.exe
        </span>
        <span class="badge">
         Ljibgg32.exe
        </span>
        <span class="badge">
         Laegiq32.exe
        </span>
        <span class="badge">
         Mbpgggol.exe
        </span>
        <span class="badge">
         Nekbmgcn.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
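        <!-- Columns: the registry operation observed, the key or value it touched, and
             the process that performed it. Paths are in kernel form
             (\REGISTRY\MACHINE is HKLM); Wow6432Node is the 32-bit registry view.
             In the rows shown, every "Set value" entry writes the same value name and
             CLSID under ShellServiceObjectDelayLoad while the process name differs
             from row to row, so the key path, value name and CLSID are the steadier
             indicators for detection and clean-up than the executable names. -->
        <thead class="small">
         <tr>
          <th scope="col">
           description
          </th>
          <th scope="col">
           ioc
          </th>
          <th scope="col">
           process
          </th>
         </tr>
        </thead>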
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Kicmdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Mencccop.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Niikceid.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Mbkmlh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Mlfojn32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Mofglh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Ngdifkpi.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Ngfflj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Nplmop32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Nodgel32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Mlcbenjb.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Mofglh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Mholen32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Nlekia32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Lcfqkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Melfncqb.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Ngfflj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Niebhf32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Lphhenhc.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Lphhenhc.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Mpjqiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Lcfqkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Meppiblm.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Nibebfpl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Nenobfak.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
         </td>
         <td>
          Laegiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Mbpgggol.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Mencccop.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
         </td>
         <td>
          Nekbmgcn.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="alert">
     <!-- Family attribution made by the sandbox. This report also carries an njRAT
          family tag on the same sample; two family labels on one submission are
          leads to confirm against the behavioural rows, not a settled
          identification. The fold below is empty: no IoCs are attached to the
          family match itself, and the page does not show which rule produced it. -->
     <div class="title">
      <b>
       Berbew
      </b>
      <p>
       Berbew is a backdoor written in C++.
      </p>
      <div class="tags small">
       <a class="" href="/s?q=tags:backdoor">
        backdoor
       </a>
       <a class="rose" href="/s/family:berbew" title="Family">
        berbew
       </a>
      </div>
     </div>
     <div class="fold hidden scroll-x">
     </div>
    </li>
    <li class="alert">
     <!-- Family attribution made by the sandbox. The fold below is empty, so the
          page does not show which rule or artefact triggered the njRAT match.
          The report also tags the sample as Berbew; verify the family against
          the recorded behaviour before relying on either label. -->
     <div class="title">
      <b>
       njRAT/Bladabindi
      </b>
      <p>
       Widely used RAT written in .NET.
      </p>
      <div class="tags small">
       <a class="" href="/s?q=tags:trojan">
        trojan
       </a>
       <a class="rose" href="/s/family:njrat" title="Family">
        njrat
       </a>
      </div>
     </div>
     <div class="fold hidden scroll-x">
     </div>
    </li>
    <li class="warning">
     <div class="title click">
      <b>
       Executes dropped EXE
       <span>
        64 IoCs
       </span>
      </b>
     </div>
     <div class="fold hidden scroll-x">
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         Iipgcaob.exe
        </span>
        <span class="badge">
         Ilncom32.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Icjhagdp.exe
        </span>
        <span class="badge">
         Iapebchh.exe
        </span>
        <span class="badge">
         Ileiplhn.exe
        </span>
        <span class="badge">
         Jhljdm32.exe
        </span>
        <span class="badge">
         Jofbag32.exe
        </span>
        <span class="badge">
         Jnkpbcjg.exe
        </span>
        <span class="badge">
         Jqilooij.exe
        </span>
        <span class="badge">
         Jmplcp32.exe
        </span>
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Jghmfhmb.exe
        </span>
        <span class="badge">
         Kjfjbdle.exe
        </span>
        <span class="badge">
         Kjifhc32.exe
        </span>
        <span class="badge">
         Kmgbdo32.exe
        </span>
        <span class="badge">
         Kincipnk.exe
        </span>
        <span class="badge">
         Kklpekno.exe
        </span>
        <span class="badge">
         Kfbcbd32.exe
        </span>
        <span class="badge">
         Keednado.exe
        </span>
        <span class="badge">
         Kpjhkjde.exe
        </span>
        <span class="badge">
         Knmhgf32.exe
        </span>
        <span class="badge">
         Kicmdo32.exe
        </span>
        <span class="badge">
         Kgemplap.exe
        </span>
        <span class="badge">
         Knpemf32.exe
        </span>
        <span class="badge">
         Leimip32.exe
        </span>
        <span class="badge">
         Llcefjgf.exe
        </span>
        <span class="badge">
         Lapnnafn.exe
        </span>
        <span class="badge">
         Ljibgg32.exe
        </span>
        <span class="badge">
         Lmgocb32.exe
        </span>
        <span class="badge">
         Lfpclh32.exe
        </span>
        <span class="badge">
         Laegiq32.exe
        </span>
        <span class="badge">
         Lphhenhc.exe
        </span>
        <span class="badge">
         Ljmlbfhi.exe
        </span>
        <span class="badge">
         Lcfqkl32.exe
        </span>
        <span class="badge">
         Lfdmggnm.exe
        </span>
        <span class="badge">
         Mpmapm32.exe
        </span>
        <span class="badge">
         Mbkmlh32.exe
        </span>
        <span class="badge">
         Mlcbenjb.exe
        </span>
        <span class="badge">
         Moanaiie.exe
        </span>
        <span class="badge">
         Mbmjah32.exe
        </span>
        <span class="badge">
         Melfncqb.exe
        </span>
        <span class="badge">
         Mlfojn32.exe
        </span>
        <span class="badge">
         Mkhofjoj.exe
        </span>
        <span class="badge">
         Mbpgggol.exe
        </span>
        <span class="badge">
         Mencccop.exe
        </span>
        <span class="badge">
         Mlhkpm32.exe
        </span>
        <span class="badge">
         Mofglh32.exe
        </span>
        <span class="badge">
         Meppiblm.exe
        </span>
        <span class="badge">
         Mholen32.exe
        </span>
        <span class="badge">
         Mgalqkbk.exe
        </span>
        <span class="badge">
         Mmldme32.exe
        </span>
        <span class="badge">
         Mpjqiq32.exe
        </span>
        <span class="badge">
         Nhaikn32.exe
        </span>
        <span class="badge">
         Ngdifkpi.exe
        </span>
        <span class="badge">
         Nibebfpl.exe
        </span>
        <span class="badge">
         Nplmop32.exe
        </span>
        <span class="badge">
         Nckjkl32.exe
        </span>
        <span class="badge">
         Ngfflj32.exe
        </span>
        <span class="badge">
         Niebhf32.exe
        </span>
        <span class="badge">
         Npojdpef.exe
        </span>
        <span class="badge">
         Ncmfqkdj.exe
        </span>
        <span class="badge">
         Ngibaj32.exe
        </span>
        <span class="badge">
         Nekbmgcn.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
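        <!-- Columns: process id and image name of each executable the "Executes
             dropped EXE" signature recorded. The pid values belong to this sandbox
             run only and are not indicators; use them to correlate rows within this
             report, not across hosts or runs. -->
        <thead class="small">
         <tr>
          <th scope="col">
           pid
          </th>
          <th scope="col">
           process
          </th>
         </tr>
        </thead>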
        <tr>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          2844
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          2132
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          2476
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          2360
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          408
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          3000
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          1612
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          1156
         </td>
         <td>
          Kicmdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          896
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          2964
         </td>
         <td>
          Knpemf32.exe
         </td>
        </tr>
        <tr>
         <td>
          1644
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          1596
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          2648
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          2764
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          2820
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          2812
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
        <tr>
         <td>
          2568
         </td>
         <td>
          Laegiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          2612
         </td>
         <td>
          Lphhenhc.exe
         </td>
        </tr>
        <tr>
         <td>
          796
         </td>
         <td>
          Ljmlbfhi.exe
         </td>
        </tr>
        <tr>
         <td>
          2028
         </td>
         <td>
          Lcfqkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          1992
         </td>
         <td>
          Lfdmggnm.exe
         </td>
        </tr>
        <tr>
         <td>
          1700
         </td>
         <td>
          Mpmapm32.exe
         </td>
        </tr>
        <tr>
         <td>
          2040
         </td>
         <td>
          Mbkmlh32.exe
         </td>
        </tr>
        <tr>
         <td>
          328
         </td>
         <td>
          Mlcbenjb.exe
         </td>
        </tr>
        <tr>
         <td>
          1964
         </td>
         <td>
          Moanaiie.exe
         </td>
        </tr>
        <tr>
         <td>
          2720
         </td>
         <td>
          Mbmjah32.exe
         </td>
        </tr>
        <tr>
         <td>
          2192
         </td>
         <td>
          Melfncqb.exe
         </td>
        </tr>
        <tr>
         <td>
          808
         </td>
         <td>
          Mlfojn32.exe
         </td>
        </tr>
        <tr>
         <td>
          1576
         </td>
         <td>
          Mkhofjoj.exe
         </td>
        </tr>
        <tr>
         <td>
          3040
         </td>
         <td>
          Mbpgggol.exe
         </td>
        </tr>
        <tr>
         <td>
          1324
         </td>
         <td>
          Mencccop.exe
         </td>
        </tr>
        <tr>
         <td>
          1248
         </td>
         <td>
          Mlhkpm32.exe
         </td>
        </tr>
        <tr>
         <td>
          1052
         </td>
         <td>
          Mofglh32.exe
         </td>
        </tr>
        <tr>
         <td>
          3048
         </td>
         <td>
          Meppiblm.exe
         </td>
        </tr>
        <tr>
         <td>
          2120
         </td>
         <td>
          Mholen32.exe
         </td>
        </tr>
        <tr>
         <td>
          2640
         </td>
         <td>
          Mgalqkbk.exe
         </td>
        </tr>
        <tr>
         <td>
          2384
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          2492
         </td>
         <td>
          Mpjqiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          1524
         </td>
         <td>
          Nhaikn32.exe
         </td>
        </tr>
        <tr>
         <td>
          1080
         </td>
         <td>
          Ngdifkpi.exe
         </td>
        </tr>
        <tr>
         <td>
          584
         </td>
         <td>
          Nibebfpl.exe
         </td>
        </tr>
        <tr>
         <td>
          2312
         </td>
         <td>
          Nplmop32.exe
         </td>
        </tr>
        <tr>
         <td>
          2272
         </td>
         <td>
          Nckjkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          2288
         </td>
         <td>
          Ngfflj32.exe
         </td>
        </tr>
        <tr>
         <td>
          1948
         </td>
         <td>
          Niebhf32.exe
         </td>
        </tr>
        <tr>
         <td>
          1924
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          1512
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          280
         </td>
         <td>
          Ngibaj32.exe
         </td>
        </tr>
        <tr>
         <td>
          2244
         </td>
         <td>
          Nekbmgcn.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="warning">
     <div class="title click">
      <!-- Signature summary: the sandbox counts 64 IoCs for this rule. The
           table in this fold lists 32 processes, each on two rows with the
           same pid, and shows only pid and image name; the DLL paths are not
           part of this fold. NOTE(review): the doubled rows presumably mean
           two load events per process; confirm against the raw report. -->
      <b>
       Loads dropped DLL
       <span>
        64 IoCs
       </span>
      </b>
     </div>
     <div class="fold hidden scroll-x">
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
        </span>
        <span class="badge">
         Iipgcaob.exe
        </span>
        <span class="badge">
         Ilncom32.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Icjhagdp.exe
        </span>
        <span class="badge">
         Iapebchh.exe
        </span>
        <span class="badge">
         Ileiplhn.exe
        </span>
        <span class="badge">
         Jhljdm32.exe
        </span>
        <span class="badge">
         Jofbag32.exe
        </span>
        <span class="badge">
         Jnkpbcjg.exe
        </span>
        <span class="badge">
         Jqilooij.exe
        </span>
        <span class="badge">
         Jmplcp32.exe
        </span>
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Jghmfhmb.exe
        </span>
        <span class="badge">
         Kjfjbdle.exe
        </span>
        <span class="badge">
         Kjifhc32.exe
        </span>
        <span class="badge">
         Kmgbdo32.exe
        </span>
        <span class="badge">
         Kincipnk.exe
        </span>
        <span class="badge">
         Kklpekno.exe
        </span>
        <span class="badge">
         Kfbcbd32.exe
        </span>
        <span class="badge">
         Keednado.exe
        </span>
        <span class="badge">
         Kpjhkjde.exe
        </span>
        <span class="badge">
         Knmhgf32.exe
        </span>
        <span class="badge">
         Kicmdo32.exe
        </span>
        <span class="badge">
         Kgemplap.exe
        </span>
        <span class="badge">
         Knpemf32.exe
        </span>
        <span class="badge">
         Leimip32.exe
        </span>
        <span class="badge">
         Llcefjgf.exe
        </span>
        <span class="badge">
         Lapnnafn.exe
        </span>
        <span class="badge">
         Ljibgg32.exe
        </span>
        <span class="badge">
         Lmgocb32.exe
        </span>
        <span class="badge">
         Lfpclh32.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
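        <thead class="small">
         <!-- Columns: pid = process ID recorded by the sandbox for this run;
              process = image name of that process. scope="col" marks both
              cells as column headers for assistive technology. -->
         <tr>
          <th scope="col">
           pid
          </th>
          <th scope="col">
           process
          </th>
         </tr>
        </thead>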
        <tr>
         <td>
          2408
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
        </tr>
        <tr>
         <td>
          2408
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
        </tr>
        <tr>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          2844
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          2844
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          2132
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          2132
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          2476
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          2476
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          2360
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          2360
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          408
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          408
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          3000
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          3000
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          1612
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          1612
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          1156
         </td>
         <td>
          Kicmdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          1156
         </td>
         <td>
          Kicmdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          896
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          896
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          2964
         </td>
         <td>
          Knpemf32.exe
         </td>
        </tr>
        <tr>
         <td>
          2964
         </td>
         <td>
          Knpemf32.exe
         </td>
        </tr>
        <tr>
         <td>
          1644
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          1644
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          1596
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          1596
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          2648
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          2648
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          2764
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          2764
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          2820
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          2820
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          2812
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
        <tr>
         <td>
          2812
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="warning">
     <div class="title click">
      <!-- Signature summary: file writes into the Windows system directory.
           The paths visible in the ioc column of this fold are all under
           C:\Windows\SysWOW64 rather than C:\Windows\System32.
           NOTE(review): on 64-bit Windows, WOW64 redirects System32 access
           from 32-bit processes to SysWOW64, so this presumably reflects a
           32-bit sample; when hunting for these .exe and .dll names, check
           SysWOW64 as the on-disk location. -->
      <b>
       Drops file in System32 directory
       <span>
        64 IoCs
       </span>
      </b>
     </div>
     <div class="fold hidden scroll-x">
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         Jhljdm32.exe
        </span>
        <span class="badge">
         Ncmfqkdj.exe
        </span>
        <span class="badge">
         Icjhagdp.exe
        </span>
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Lmgocb32.exe
        </span>
        <span class="badge">
         Mlcbenjb.exe
        </span>
        <span class="badge">
         Mpjqiq32.exe
        </span>
        <span class="badge">
         Kpjhkjde.exe
        </span>
        <span class="badge">
         Kgemplap.exe
        </span>
        <span class="badge">
         Nlekia32.exe
        </span>
        <span class="badge">
         Kfbcbd32.exe
        </span>
        <span class="badge">
         Leimip32.exe
        </span>
        <span class="badge">
         Nibebfpl.exe
        </span>
        <span class="badge">
         Mlfojn32.exe
        </span>
        <span class="badge">
         Meppiblm.exe
        </span>
        <span class="badge">
         Nckjkl32.exe
        </span>
        <span class="badge">
         Jmplcp32.exe
        </span>
        <span class="badge">
         Keednado.exe
        </span>
        <span class="badge">
         Lapnnafn.exe
        </span>
        <span class="badge">
         Mbmjah32.exe
        </span>
        <span class="badge">
         Mlhkpm32.exe
        </span>
        <span class="badge">
         Ngdifkpi.exe
        </span>
        <span class="badge">
         Jnkpbcjg.exe
        </span>
        <span class="badge">
         Moanaiie.exe
        </span>
        <span class="badge">
         Mbpgggol.exe
        </span>
        <span class="badge">
         Ljmlbfhi.exe
        </span>
        <span class="badge">
         Nplmop32.exe
        </span>
        <span class="badge">
         Niikceid.exe
        </span>
        <span class="badge">
         Knmhgf32.exe
        </span>
        <span class="badge">
         Npojdpef.exe
        </span>
        <span class="badge">
         Kmgbdo32.exe
        </span>
        <span class="badge">
         Llcefjgf.exe
        </span>
        <span class="badge">
         Mmldme32.exe
        </span>
        <span class="badge">
         Ileiplhn.exe
        </span>
        <span class="badge">
         Kjifhc32.exe
        </span>
        <span class="badge">
         Mgalqkbk.exe
        </span>
        <span class="badge">
         Nenobfak.exe
        </span>
        <span class="badge">
         Ngibaj32.exe
        </span>
        <span class="badge">
         Knpemf32.exe
        </span>
        <span class="badge">
         Mofglh32.exe
        </span>
        <span class="badge">
         Mpmapm32.exe
        </span>
        <span class="badge">
         Laegiq32.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Kincipnk.exe
        </span>
        <span class="badge">
         Kklpekno.exe
        </span>
        <span class="badge">
         Lfpclh32.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
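        <thead class="small">
         <!-- Columns: description = file operation the sandbox observed (the
              rows use "File created" and "File opened for modification");
              ioc = full path of the affected file; process = image name of
              the process the sandbox attributes the operation to.
              scope="col" marks the cells as column headers for assistive
              technology. -->
         <tr>
          <th scope="col">
           description
          </th>
          <th scope="col">
           ioc
          </th>
          <th scope="col">
           process
          </th>
         </tr>
        </thead>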
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Jofbag32.exe
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Jmbckb32.dll
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Iapebchh.exe
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Jghmfhmb.exe
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Lfpclh32.exe
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Gpbgnedh.dll
         </td>
         <td>
          Mlcbenjb.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Diceon32.dll
         </td>
         <td>
          Mpjqiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Knmhgf32.exe
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Knpemf32.exe
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Ngibaj32.exe
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Nodgel32.exe
         </td>
         <td>
          Nlekia32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Keednado.exe
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Iimckbco.dll
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Nplmop32.exe
         </td>
         <td>
          Nibebfpl.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Mkhofjoj.exe
         </td>
         <td>
          Mlfojn32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Nldodg32.dll
         </td>
         <td>
          Meppiblm.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Ngfflj32.exe
         </td>
         <td>
          Nckjkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Jjdmmdnh.exe
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Ancjqghh.dll
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Ljibgg32.exe
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Djdfhjik.dll
         </td>
         <td>
          Mbmjah32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Mofglh32.exe
         </td>
         <td>
          Mlhkpm32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Gbdalp32.dll
         </td>
         <td>
          Ngdifkpi.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Jqilooij.exe
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Knpemf32.exe
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Mbmjah32.exe
         </td>
         <td>
          Moanaiie.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Hendhe32.dll
         </td>
         <td>
          Mbpgggol.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Nplmop32.exe
         </td>
         <td>
          Nibebfpl.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Lcfqkl32.exe
         </td>
         <td>
          Ljmlbfhi.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Nhaikn32.exe
         </td>
         <td>
          Mpjqiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Nckjkl32.exe
         </td>
         <td>
          Nplmop32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Nlhgoqhh.exe
         </td>
         <td>
          Niikceid.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Papnde32.dll
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Kgdjgo32.dll
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Agmceh32.dll
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Pikhak32.dll
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Mpjqiq32.exe
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Nodgel32.exe
         </td>
         <td>
          Nlekia32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Jhljdm32.exe
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Kcacch32.dll
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Ihclng32.dll
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Mmldme32.exe
         </td>
         <td>
          Mgalqkbk.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Dnlbnp32.dll
         </td>
         <td>
          Nenobfak.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Jjdmmdnh.exe
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Cgmgbeon.dll
         </td>
         <td>
          Mgalqkbk.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Hljdna32.dll
         </td>
         <td>
          Nckjkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Pjclpeak.dll
         </td>
         <td>
          Ngibaj32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Leimip32.exe
         </td>
         <td>
          Knpemf32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Llcefjgf.exe
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Aedeic32.dll
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Keednado.exe
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Kicmdo32.exe
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Lhajpc32.dll
         </td>
         <td>
          Mofglh32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Almjnp32.dll
         </td>
         <td>
          Mpmapm32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Lphhenhc.exe
         </td>
         <td>
          Laegiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Kincipnk.exe
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Lapnnafn.exe
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Cnjgia32.dll
         </td>
         <td>
          Nlekia32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Lnhplkhl.dll
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Kklpekno.exe
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Kklpekno.exe
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Kfbcbd32.exe
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          File opened for modification
         </td>
         <td>
          C:\Windows\SysWOW64\Lfpclh32.exe
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          File created
         </td>
         <td>
          C:\Windows\SysWOW64\Laegiq32.exe
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="normal">
     <div class="title click">
      <b>
       Program crash
       <span>
        1 IoCs
       </span>
      </b>
     </div>
     <div class="fold hidden scroll-x">
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         WerFault.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
        <thead class="small">
         <tr>
          <th>
           pid
          </th>
          <th>
           pid_target
          </th>
          <th>
           process
          </th>
          <th>
           target process
          </th>
         </tr>
        </thead>
        <tr>
         <td>
          2352
         </td>
         <td>
          2636
         </td>
         <td>
          WerFault.exe
         </td>
         <td>
          Nlhgoqhh.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="normal" data-technique-ttp="Discovery,">
     <div class="title click">
      <b>
       System Location Discovery: System Language Discovery
       <span>
        1 TTPs  64 IoCs
       </span>
      </b>
      <p>
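       Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The evidence listed below is each process opening the Control\NLS\Language registry key, which ordinary software may also read, so on its own it is a weak indicator.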
      </p>
      <div class="tags small">
       <a class="" href="/s?q=tags:discovery">
        discovery
       </a>
      </div>
     </div>
     <div class="fold hidden scroll-x">
      <div class="flex-wrap mitre">
       <div class="row">
        <a class="normal" data-modal-ttp="T1614.001" href="https://attack.mitre.org/techniques/T1614/001" target="_blank" title="System Language Discovery">
         <div class="hbox">
          <p>
           System Language Discovery
          </p>
          <div class="flex">
          </div>
         </div>
         <span>
          T1614.001
         </span>
        </a>
       </div>
      </div>
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         Jqilooij.exe
        </span>
        <span class="badge">
         Nckjkl32.exe
        </span>
        <span class="badge">
         Npojdpef.exe
        </span>
        <span class="badge">
         Moanaiie.exe
        </span>
        <span class="badge">
         Mmldme32.exe
        </span>
        <span class="badge">
         Jhljdm32.exe
        </span>
        <span class="badge">
         Kjfjbdle.exe
        </span>
        <span class="badge">
         Knmhgf32.exe
        </span>
        <span class="badge">
         Llcefjgf.exe
        </span>
        <span class="badge">
         Ngfflj32.exe
        </span>
        <span class="badge">
         Jnkpbcjg.exe
        </span>
        <span class="badge">
         Kicmdo32.exe
        </span>
        <span class="badge">
         Mbpgggol.exe
        </span>
        <span class="badge">
         Mofglh32.exe
        </span>
        <span class="badge">
         Jofbag32.exe
        </span>
        <span class="badge">
         Niebhf32.exe
        </span>
        <span class="badge">
         Mpmapm32.exe
        </span>
        <span class="badge">
         Mlcbenjb.exe
        </span>
        <span class="badge">
         Melfncqb.exe
        </span>
        <span class="badge">
         Ncmfqkdj.exe
        </span>
        <span class="badge">
         Ilncom32.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Kmgbdo32.exe
        </span>
        <span class="badge">
         Kincipnk.exe
        </span>
        <span class="badge">
         Kgemplap.exe
        </span>
        <span class="badge">
         Nibebfpl.exe
        </span>
        <span class="badge">
         Nlhgoqhh.exe
        </span>
        <span class="badge">
         Kfbcbd32.exe
        </span>
        <span class="badge">
         Nhaikn32.exe
        </span>
        <span class="badge">
         Lapnnafn.exe
        </span>
        <span class="badge">
         Mbkmlh32.exe
        </span>
        <span class="badge">
         Mholen32.exe
        </span>
        <span class="badge">
         Mpjqiq32.exe
        </span>
        <span class="badge">
         Lfpclh32.exe
        </span>
        <span class="badge">
         Ngibaj32.exe
        </span>
        <span class="badge">
         Nodgel32.exe
        </span>
        <span class="badge">
         65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
        </span>
        <span class="badge">
         Ileiplhn.exe
        </span>
        <span class="badge">
         Kjifhc32.exe
        </span>
        <span class="badge">
         Keednado.exe
        </span>
        <span class="badge">
         Lmgocb32.exe
        </span>
        <span class="badge">
         Mgalqkbk.exe
        </span>
        <span class="badge">
         Ngdifkpi.exe
        </span>
        <span class="badge">
         Iipgcaob.exe
        </span>
        <span class="badge">
         Iapebchh.exe
        </span>
        <span class="badge">
         Kklpekno.exe
        </span>
        <span class="badge">
         Ljibgg32.exe
        </span>
        <span class="badge">
         Niikceid.exe
        </span>
        <span class="badge">
         Jmplcp32.exe
        </span>
        <span class="badge">
         Kpjhkjde.exe
        </span>
        <span class="badge">
         Leimip32.exe
        </span>
        <span class="badge">
         Mlhkpm32.exe
        </span>
        <span class="badge">
         Lcfqkl32.exe
        </span>
        <span class="badge">
         Mlfojn32.exe
        </span>
        <span class="badge">
         Meppiblm.exe
        </span>
        <span class="badge">
         Nekbmgcn.exe
        </span>
        <span class="badge">
         Icjhagdp.exe
        </span>
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Jghmfhmb.exe
        </span>
        <span class="badge">
         Knpemf32.exe
        </span>
        <span class="badge">
         Laegiq32.exe
        </span>
        <span class="badge">
         Mbmjah32.exe
        </span>
        <span class="badge">
         Nlekia32.exe
        </span>
        <span class="badge">
         Mkhofjoj.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
        <thead class="small">
         <tr>
          <th>
           description
          </th>
          <th>
           ioc
          </th>
          <th>
           process
          </th>
         </tr>
        </thead>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nckjkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Moanaiie.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ngfflj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kicmdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mbpgggol.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mofglh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Niebhf32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mpmapm32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mlcbenjb.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Melfncqb.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kgemplap.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nibebfpl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nlhgoqhh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kfbcbd32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nhaikn32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mbkmlh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mholen32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mpjqiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ngibaj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nodgel32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mgalqkbk.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ngdifkpi.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Niikceid.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Leimip32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mlhkpm32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Lcfqkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mlfojn32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Meppiblm.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nekbmgcn.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Knpemf32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Laegiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mbmjah32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Nlekia32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key opened
         </td>
         <td>
          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
         </td>
         <td>
          Mkhofjoj.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="">
     <div class="title click">
      <b>
       Modifies registry class
       <span>
        64 IoCs
       </span>
      </b>
     </div>
     <div class="fold hidden scroll-x">
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         Lcfqkl32.exe
        </span>
        <span class="badge">
         Mpmapm32.exe
        </span>
        <span class="badge">
         Nenobfak.exe
        </span>
        <span class="badge">
         Niikceid.exe
        </span>
        <span class="badge">
         Mholen32.exe
        </span>
        <span class="badge">
         Mmldme32.exe
        </span>
        <span class="badge">
         Ngdifkpi.exe
        </span>
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Lapnnafn.exe
        </span>
        <span class="badge">
         Mlfojn32.exe
        </span>
        <span class="badge">
         Ncmfqkdj.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Ljmlbfhi.exe
        </span>
        <span class="badge">
         Jnkpbcjg.exe
        </span>
        <span class="badge">
         Lphhenhc.exe
        </span>
        <span class="badge">
         Lfdmggnm.exe
        </span>
        <span class="badge">
         Nibebfpl.exe
        </span>
        <span class="badge">
         Npojdpef.exe
        </span>
        <span class="badge">
         Iapebchh.exe
        </span>
        <span class="badge">
         Ljibgg32.exe
        </span>
        <span class="badge">
         Meppiblm.exe
        </span>
        <span class="badge">
         Ngibaj32.exe
        </span>
        <span class="badge">
         Knmhgf32.exe
        </span>
        <span class="badge">
         Llcefjgf.exe
        </span>
        <span class="badge">
         Laegiq32.exe
        </span>
        <span class="badge">
         Mbkmlh32.exe
        </span>
        <span class="badge">
         Mlcbenjb.exe
        </span>
        <span class="badge">
         Kmgbdo32.exe
        </span>
        <span class="badge">
         Nplmop32.exe
        </span>
        <span class="badge">
         Moanaiie.exe
        </span>
        <span class="badge">
         Mkhofjoj.exe
        </span>
        <span class="badge">
         65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
        </span>
        <span class="badge">
         Ilncom32.exe
        </span>
        <span class="badge">
         Kjfjbdle.exe
        </span>
        <span class="badge">
         Mbmjah32.exe
        </span>
        <span class="badge">
         Jqilooij.exe
        </span>
        <span class="badge">
         Keednado.exe
        </span>
        <span class="badge">
         Mpjqiq32.exe
        </span>
        <span class="badge">
         Jofbag32.exe
        </span>
        <span class="badge">
         Kincipnk.exe
        </span>
        <span class="badge">
         Lmgocb32.exe
        </span>
        <span class="badge">
         Kklpekno.exe
        </span>
        <span class="badge">
         Melfncqb.exe
        </span>
        <span class="badge">
         Kpjhkjde.exe
        </span>
        <span class="badge">
         Lfpclh32.exe
        </span>
        <span class="badge">
         Mbpgggol.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
        <thead class="small">
         <tr>
          <th>
           description
          </th>
          <th>
           ioc
          </th>
          <th>
           process
          </th>
         </tr>
        </thead>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"
         </td>
         <td>
          Lcfqkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Mpmapm32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Nenobfak.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Niikceid.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"
         </td>
         <td>
          Mholen32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Ngdifkpi.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbfblll.dll"
         </td>
         <td>
          Lapnnafn.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mlfojn32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Ljmlbfhi.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mholen32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Lphhenhc.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"
         </td>
         <td>
          Lfdmggnm.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Nenobfak.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almjnp32.dll"
         </td>
         <td>
          Mpmapm32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Nibebfpl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll"
         </td>
         <td>
          Mlfojn32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Meppiblm.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Ngibaj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Knmhgf32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Llcefjgf.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Laegiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mbkmlh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mlcbenjb.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Nplmop32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"
         </td>
         <td>
          Moanaiie.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mkhofjoj.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll"
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Mbmjah32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"
         </td>
         <td>
          Mbmjah32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mmldme32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Keednado.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll"
         </td>
         <td>
          Ljibgg32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Lcfqkl32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Mpjqiq32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Ngibaj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"
         </td>
         <td>
          Kincipnk.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Lmgocb32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll"
         </td>
         <td>
          Kklpekno.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"
         </td>
         <td>
          Melfncqb.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Meppiblm.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Npojdpef.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Ncmfqkdj.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"
         </td>
         <td>
          Ngibaj32.exe
         </td>
        </tr>
        <tr>
         <td>
          Key created
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
         </td>
         <td>
          Kpjhkjde.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"
         </td>
         <td>
          Lfpclh32.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll"
         </td>
         <td>
          Lphhenhc.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
         </td>
         <td>
          Mbpgggol.exe
         </td>
        </tr>
        <tr>
         <td>
          Set value (str)
         </td>
         <td>
          \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll"
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
    <li class="">
     <!-- Sandbox signature heading: processes observed writing into another process's memory
          (WriteProcessMemory). The "64 IoCs" count matches the 64 rows of the table in the
          fold below: 16 writing processes, four identical rows each. In those rows every
          target process is the writer in the next group (PID 2408 to 2924, 2924 to 1048,
          1048 to 2620, and so on), so the submitted sample and the processes after it form
          one chain rather than 64 independent events.
          NOTE(review): the report does not state whether these writes are code injection or
          a side effect of ordinary process creation; correlate with process-creation
          telemetry before treating each row as a separate detection. -->
     <div class="title click">
      <b>
       Suspicious use of WriteProcessMemory
       <span>
        64 IoCs
       </span>
      </b>
     </div>
     <div class="fold hidden scroll-x">
      <div class="hbox centered">
       <p>
        Processes:
       </p>
       <div class="tags flex">
        <span class="badge">
         65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
        </span>
        <span class="badge">
         Iipgcaob.exe
        </span>
        <span class="badge">
         Ilncom32.exe
        </span>
        <span class="badge">
         Ipllekdl.exe
        </span>
        <span class="badge">
         Icjhagdp.exe
        </span>
        <span class="badge">
         Iapebchh.exe
        </span>
        <span class="badge">
         Ileiplhn.exe
        </span>
        <span class="badge">
         Jhljdm32.exe
        </span>
        <span class="badge">
         Jofbag32.exe
        </span>
        <span class="badge">
         Jnkpbcjg.exe
        </span>
        <span class="badge">
         Jqilooij.exe
        </span>
        <span class="badge">
         Jmplcp32.exe
        </span>
        <span class="badge">
         Jjdmmdnh.exe
        </span>
        <span class="badge">
         Jghmfhmb.exe
        </span>
        <span class="badge">
         Kjfjbdle.exe
        </span>
        <span class="badge">
         Kjifhc32.exe
        </span>
       </div>
      </div>
      <div>
       <table class="table bordered fitted">
        <!-- Column key for the memory-write table:
             "description"    the sandbox's event text, "PID <writer> wrote to memory of <target pid>"
             "pid"            process id of the writer
             "process"        image name of the writer
             "target process" image name of the process whose memory was written
             The target's pid has no column of its own; it appears only in the description text. -->
        <thead class="small">
         <tr>
          <th>
           description
          </th>
          <th>
           pid
          </th>
          <th>
           process
          </th>
          <th>
           target process
          </th>
         </tr>
        </thead>
        <tr>
         <td>
          PID 2408 wrote to memory of 2924
         </td>
         <td>
          2408
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2408 wrote to memory of 2924
         </td>
         <td>
          2408
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2408 wrote to memory of 2924
         </td>
         <td>
          2408
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2408 wrote to memory of 2924
         </td>
         <td>
          2408
         </td>
         <td>
          65564e578ddb54c161f7daf6ee16954126c4b51ad1e671ef5b0ac792323bec4bN.exe
         </td>
         <td>
          Iipgcaob.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2924 wrote to memory of 1048
         </td>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2924 wrote to memory of 1048
         </td>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2924 wrote to memory of 1048
         </td>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2924 wrote to memory of 1048
         </td>
         <td>
          2924
         </td>
         <td>
          Iipgcaob.exe
         </td>
         <td>
          Ilncom32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1048 wrote to memory of 2620
         </td>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1048 wrote to memory of 2620
         </td>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1048 wrote to memory of 2620
         </td>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1048 wrote to memory of 2620
         </td>
         <td>
          1048
         </td>
         <td>
          Ilncom32.exe
         </td>
         <td>
          Ipllekdl.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2620 wrote to memory of 2376
         </td>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2620 wrote to memory of 2376
         </td>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2620 wrote to memory of 2376
         </td>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2620 wrote to memory of 2376
         </td>
         <td>
          2620
         </td>
         <td>
          Ipllekdl.exe
         </td>
         <td>
          Icjhagdp.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2376 wrote to memory of 2788
         </td>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2376 wrote to memory of 2788
         </td>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2376 wrote to memory of 2788
         </td>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2376 wrote to memory of 2788
         </td>
         <td>
          2376
         </td>
         <td>
          Icjhagdp.exe
         </td>
         <td>
          Iapebchh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2788 wrote to memory of 2656
         </td>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2788 wrote to memory of 2656
         </td>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2788 wrote to memory of 2656
         </td>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2788 wrote to memory of 2656
         </td>
         <td>
          2788
         </td>
         <td>
          Iapebchh.exe
         </td>
         <td>
          Ileiplhn.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2656 wrote to memory of 2536
         </td>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2656 wrote to memory of 2536
         </td>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2656 wrote to memory of 2536
         </td>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2656 wrote to memory of 2536
         </td>
         <td>
          2656
         </td>
         <td>
          Ileiplhn.exe
         </td>
         <td>
          Jhljdm32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2536 wrote to memory of 2956
         </td>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2536 wrote to memory of 2956
         </td>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2536 wrote to memory of 2956
         </td>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2536 wrote to memory of 2956
         </td>
         <td>
          2536
         </td>
         <td>
          Jhljdm32.exe
         </td>
         <td>
          Jofbag32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2956 wrote to memory of 484
         </td>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2956 wrote to memory of 484
         </td>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2956 wrote to memory of 484
         </td>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2956 wrote to memory of 484
         </td>
         <td>
          2956
         </td>
         <td>
          Jofbag32.exe
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 484 wrote to memory of 1476
         </td>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 484 wrote to memory of 1476
         </td>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 484 wrote to memory of 1476
         </td>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 484 wrote to memory of 1476
         </td>
         <td>
          484
         </td>
         <td>
          Jnkpbcjg.exe
         </td>
         <td>
          Jqilooij.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1476 wrote to memory of 1988
         </td>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1476 wrote to memory of 1988
         </td>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1476 wrote to memory of 1988
         </td>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1476 wrote to memory of 1988
         </td>
         <td>
          1476
         </td>
         <td>
          Jqilooij.exe
         </td>
         <td>
          Jmplcp32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1988 wrote to memory of 1800
         </td>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1988 wrote to memory of 1800
         </td>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1988 wrote to memory of 1800
         </td>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1988 wrote to memory of 1800
         </td>
         <td>
          1988
         </td>
         <td>
          Jmplcp32.exe
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1800 wrote to memory of 2280
         </td>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1800 wrote to memory of 2280
         </td>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1800 wrote to memory of 2280
         </td>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1800 wrote to memory of 2280
         </td>
         <td>
          1800
         </td>
         <td>
          Jjdmmdnh.exe
         </td>
         <td>
          Jghmfhmb.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2280 wrote to memory of 2396
         </td>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2280 wrote to memory of 2396
         </td>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2280 wrote to memory of 2396
         </td>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2280 wrote to memory of 2396
         </td>
         <td>
          2280
         </td>
         <td>
          Jghmfhmb.exe
         </td>
         <td>
          Kjfjbdle.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2396 wrote to memory of 1960
         </td>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2396 wrote to memory of 1960
         </td>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2396 wrote to memory of 1960
         </td>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 2396 wrote to memory of 1960
         </td>
         <td>
          2396
         </td>
         <td>
          Kjfjbdle.exe
         </td>
         <td>
          Kjifhc32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1960 wrote to memory of 2844
         </td>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1960 wrote to memory of 2844
         </td>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1960 wrote to memory of 2844
         </td>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
        <tr>
         <td>
          PID 1960 wrote to memory of 2844
         </td>
         <td>
          1960
         </td>
         <td>
          Kjifhc32.exe
         </td>
         <td>
          Kmgbdo32.exe
         </td>
        </tr>
       </table>
      </div>
     </div>
    </li>
   </ul>
  </div>
 </div>
</div>
